How to share a reverse SSH tunnel on a network

reverse-tunnelssh

I have a remote computer on a 3G PPP connection.
I can't connect to this computer via the Internet as I believe the PPP IP pool uses NAT to connect to the Internet (I get given a 10.x.x.x address when I connect)

So I get the remote computer to create a SSH connection to a server on the Internet.
I can then tunnel down this connection from the server and get a shell on the remote computer. Great.

I want to be able to access the Web interface of a camera on the remote network.
So I create a second SSH tunnel that redirects traffic to the address of the camera, ie:
ssh -R 9000::

From my Internet host this works, I get the web page:
wget 127.0.0.1:9000
Great

Now I need this to work from my client PC so:

Client PC –> Internet server –tunnel–> Remote computer –> IP camera

So essentially I need to make my reverse SSH tunnel available over the network.

I assumed if I just used iptables to forward incoming traffic on a certain port on my Internet server to 127.0.0.1:9000 that would work but I haven't been able to make it work after hours of playing with iptables, NAT etc.

Should this work?

Best Answer

I think you need -o GatewayPorts=yes to allow other hosts than local to use your tunnel. From the man-page:

Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, ssh(1) binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be “yes” or “no”. The default is “no”.

Related Solutions

Accessing localhost web server via reverse SSH tunnel and URL

-R 8080:localhost:80 is usually not enough. See man 1 ssh [emphasis mine]:

-R [bind_address:]port:host:hostport
[…]

Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the local side.

[…]

By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address *, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

Your tries with 127.0.0.1:8080 on the server indicate the listening socket is bound to the loopback interface. Most likely it is not bound to any other interface.

You need to explicitly specify bind_address or to use * or to use an empty string as bind_address. The option with an empty bind_address looks like this (note the leading :):

-R :8080:localhost:80

Additionally the state of GatewayPorts in the sshd_config on the server is important. From man 5 sshd_config:

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be no to force remote port forwardings to be available to the local host only, yes to force remote port forwardings to bind to the wildcard address, or clientspecified to allow the client to select the address to which the forwarding is bound. The default is no.

To achieve what you want the option must not be no. Note no is the default value, so unspecified GatewayPorts still means no. The value of yes will make -R 8080:localhost:80 work like -R :8080:localhost:80.

I advise GatewayPorts clientspecified in the server config and ssh -R :8080:localhost:80 … on the client.

Possible additional problems:

The firewall on the server may block connections to the 8080 port coming in from the Internet.
The local HTTP server may reject requests that use example.com (compare Why does the original site work, but port forwarding to the same site fails?).

Best Answer

Related Solutions

Accessing localhost web server via reverse SSH tunnel and URL

Related Question